URI from x509 certificate is not correctly read by QtopcUa module



  • Hello,

    I’m using the Qtopcua module to establish an encrypted connection with an OPC UA server. The certificate which I’m using works fine on Windows, Linux and Android, but when I switch to macOS or iOS, the part:

    QOpcUaPkiConfiguration m_pkiConfig;
    m_pkiConfig.setClientCertificateFile(pkidir + "/opcuaviewer.der");
    m_pkiConfig.setPrivateKeyFile(pkidir + "/opcuaviewer.key");
    auto m_identity = m_pkiConfig.applicationIdentity(); 
    

    Causes a warning from the qtopcua module:

    [qt.opcua.security] URI string from certificate has unexpected format: "" Application identity will be invalid.
    

    And the connection could not be established because of the missing URI in the extension. After debugging the QtOpcua module I found that there is a correct count of extensions (5), and there is an extension with the correct name "subjectAltName". So far, so good, but when calling the method "toMap()" in "applicationIdentity()", the returned map is empty.

    \qtopcua\src\opcua\client\qopcuapkiconfiguration.cpp

    QOpcUaApplicationIdentity QOpcUaPkiConfiguration::applicationIdentity()
    {
        ...
        auto extensions = certList[0].extensions();
        for (const auto extension : qAsConst(extensions)) {
            if (extension.name() == QLatin1String("subjectAltName")) { // OID: 2.5.29.17
                const auto value = extension.value().toMap();
    

    The funny thing is that I can successfully use the method "toString()" on this QVariant, but only on macOS and iOS. So on Windows it looks like the QVariant "subjectAltName" is a QMap (which is correct) and on Apple systems somehow it is a QString. The module uses the method "toMap()", so it should be the correct way.

    I have updated Qt and qtopcua (15.1) and downloaded the newest version of mbedtls, but it does not help. I have checked the DER certificate with OpenSSL and it looks fine, all extensions included (the same one works fine on other systems, so it should be).

           X509v3 extensions:
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Key Usage: critical
                    Digital Signature, Non Repudiation, Key Encipherment
                X509v3 Subject Alternative Name: 
                    email:my@other.address, URI:http://my.url.here/
                X509v3 Subject Key Identifier: 
                    EA:59:19:39:BF:1B:CC:22:FB:26:E9:C0:C2:EB:26:52:E2:55:34:EF
                X509v3 Authority Key Identifier: 
                    keyid:EA:59:19:39:BF:1B:CC:22:FB:26:E9:C0:C2:EB:26:52:E2:55:34:EF
                    DirName:
                    serial:01
    

    Has anybody ever faced a similar issue?
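
A way to confirm what the certificate itself carries without going through any Qt TLS backend, as an added example that is not part of the original post or of qtopcua: a standard-library Python DER walker that finds the subjectAltName extension (OID 2.5.29.17) and returns its entries as a map keyed by the labels OpenSSL prints. The function names and the `SAMPLE` bytes are constructed for illustration; the sample mirrors the SAN values in the OpenSSL output above.

```python
SAN_OID = bytes([0x55, 0x1D, 0x11])  # DER encoding of 2.5.29.17 (subjectAltName)
NAMES = {0x81: "email", 0x82: "DNS", 0x86: "URI"}  # GeneralName tags (RFC 5280)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def find_san(der):
    """Depth-first search for SEQUENCE { OID 2.5.29.17, ..., OCTET STRING }."""
    for tag, val in children(der):
        if tag & 0x20:  # constructed element: may contain the extension
            kids = children(val)
            if tag == 0x30 and kids and kids[0] == (0x06, SAN_OID) and kids[-1][0] == 0x04:
                return kids[-1][1]
            found = find_san(val)
            if found is not None:
                return found
    return None

def san_map(der):
    """Return e.g. {'email': [...], 'URI': [...]} for a DER certificate or Extension."""
    ext = find_san(der)
    names = children(read_tlv(ext, 0)[1]) if ext else []  # GeneralNames SEQUENCE
    result = {}
    for tag, val in names:
        if tag in NAMES:
            result.setdefault(NAMES[tag], []).append(val.decode("ascii"))
    return result

def tlv(tag, value):  # builder for the constructed sample (short lengths only)
    return bytes([tag, len(value)]) + value

SAMPLE = tlv(0x30, tlv(0x06, SAN_OID) + tlv(0x04, tlv(0x30,  # constructed Extension
    tlv(0x81, b"my@other.address") + tlv(0x86, b"http://my.url.here/"))))
```

Calling `san_map(open(path, "rb").read())` on the `.der` file gives the same view on every platform, which separates a certificate problem from a difference in how the platform's TLS backend exposes the extension.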

